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Mayers fj||, Lo and Chau|^, ^| argued that all quantum bit commitment protocols are insecure, 
because there is no way to prevent an Einstein-Podolsky-Rosen (EPR) cheating attack. However, 
Yuen ^, ^| presented some protocols which challenged the previous impossibility argument. Up to 
now, it is still debated whether there exist or not unconditionally secure protocols Q. In this paper 
the above controversy is addressed. For such purpose, a complete classification of all possible bit 
commitment protocols is given, including all possible cheating attacks. Focusing on the simplest class 
of protocols (non-aborting and with complete and perfect verification), it is shown how naturally 
a game-theoretical situation arises. For these protocols, bounds for the cheating probabilities are 
derived, involving the two quantum operations encoding the bit values and their respective alternate 
Kraus decompositions. Such bounds are different from those given in the impossibility proof jj], ^, ^ . 
The whole classification and analysis has been carried out using a finite open system approach. 
The discrepancy with the impossibility proof is explained on the basis of the implicit adoption 
of a closed system approach — equivalent to modeling the commitment as performed by two fixed 
machines interacting unitarily in a overall closed system — according to which it is possible to assume 
as openly known both the initial state and the probability distributions for all secret parameters, 
which can be then purified. This approach is also motivated by existence of unitary extensions 
for any open system. However, it is shown that the closed system approach for the classification of 
commitment protocols unavoidably leads to infinite dimensions, which then invalidate the continuity 
argument at the basis of the impossibility proof. 

PACS numbers: 03.67.Dd, 03.65.Ta 



I. INTRODUCTION 

Among all kinds of quantum cryptography protocols, 
the quantum bit commitment is a crucial element to build 
up more sophisticated protocols, such as remote quantum 
gambling ||] , coin tossing || , and unconditionally secure 
two-party quantum computation JTo| . Therefore, it is 
of practical relevance to establish if there exist secure 
quantum bit commitment protocols. 

In the bit commitment Alice provides Bob with a piece 
of evidence that she has chosen a bit b = 0, 1 which she 
commits to him. Later, Alice will open the commitment, 
revealing the bit b to Bob, and proving that it is indeed 
the committed bit with the evidence in Bob's posses- 
sion. Therefore, Alice and Bob should agree on a proto- 
col which satisfies simultaneously the three requirements: 
(1) it must be concealing, namely Bob should not be able 
to retrieve b before the opening; (2) it must be binding, 
namely Alice should not be able to change b after the 
commitment; (3) it must be verifiable, namely Bob must 
be able to check b against the evidence in his possession, 
according to the rules of the protocol. In a in-principle 
proof of security of the commitment it is supposed that 
both parties possess unlimited technology, e. g. compu- 
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tational power, space, time, etc., and the protocol is said 
unconditionally secure if neither Alice nor Bob can cheat 
with significant probability of success as a consequence 
of physical laws. 

In 1993, a quantum mechanical protocol was 
proposed J9|, and the unconditional security of this pro- 
tocol has been generally accepted for long time. The 
insecurity of this protocol was shown by Mayers, Lo and 
Chaujl], 0, [| in 1997, where it was recognized the pos- 
sibility for Alice to cheat by entangling the committed 
evidence with a quantum system in her possession, and 
it was argued that no unconditionally secure protocol 
is possible. Finally after 2000 YuenJ|, |[ |(| presented 
some protocols which challenged the previous impossi- 
bility proof, mostly on the basis of the possibility of en- 
coding the bit on an anonymous state given to Alice by 
Bob and known only to him, and suggesting the use of 
decoy systems that make the protocol concealing in the 
limit of infinitely many systems, with the possibility for 
Bob of performing his quantum measurement before Al- 
ice opening, whence disputing the general availability of 
EPR cheating for Alice. Besides the above schemes, pro- 
tocols have also been suggested based on the theory of 
special relativity [ |TT) (for historical reviews on the quan- 
tum bit commitment see Refs. || ^]). Here, however, we 
will consider only non relativistic protocols. 

In this paper, in order to provide clarifications on the 
issue of existence of unconditionally secure protocols, we 
will give a complete classification of all possible bit com- 
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mitment protocols based on a single commitment step, 
and show how a multi-step commitment can be reduced 
to a single one. We will analyze all possibilities of cheat- 
ing for both parties. Then, we will focus on the sim- 
plest class of protocols, namely the non-aborting pro- 
tocols with complete and perfect verification, showing 
that naturally a game-theoretical situation arises. As we 
will see, even though perfectly concealing protocols are 
certainly not binding (i. e. Alice has a unit cheating 
probability), the protocol could still be binding if it is 
e-concealing. Bounds for the cheating probabilities of 
these protocols are derived, involving the two quantum 
operations encoding the bit values and their respective 
alternate Kraus decompositions. Such bounds turn out 
to be different from those given in the impossibility proof 
[jl], [|. In the final discussion we will see how the dis- 
crepancy between the two opposite analysis arises, as a 
result of the restrictive assumption — which lies beneath 
the impossibility proof — of openly known, whence pu- 
rifiable, probability distributions for all secret parame- 
ters. Such an assumption is equivalent to modeling the 
commitment as a closed system made of two fixed ma- 
chines interacting unitarily. It is shown that such model- 
ing, along with the requirement of unlimited technology, 
necessarily lead to infinite dimensions, which invalidate 
the continuity argument at the basis of the impossibility 
proof. Instead, one either needs to prove the continuity 
argument for infinite dimensions, or else must adopt a 
finite open system approach. 



of using decoy systems. The variable j is a secret pa- 
rameter known only to Alice, parametrizing the choice 
of different forms for the modulation, and which will be 
declared to Bob at the opening. 



B. The secret-parameter space 

Alice has always the option of choosing j by prepar- 
ing a secret-parameter space P in a state chosen from an 
orthonormal set and performing the QO on H®P 

j 

with Pj representing the orthonormal projection map 
= |j) 01- The actually performed map de- 

pends on the state preparation pp that Alice choses for 
P, and any (pure or mixed) state will be equivalent to a 
set of probabilities pj = (j\pp \j) for the secret param- 
eter j as follows 

Tr P [MW (Mfe>|® Pp b) )] = ]T Mf (|p) {<p\) (j\ Pp b) | j) . 

j 

(2) 



C. Reduction to trace-preserving maps 



II. THE CLASSIFICATION OF PROTOCOLS 

The most general bit commitment scheme with a single 
step is of the form: (1) Bob prepares the Hilbert space 
H with the anonymous state \ip) € H, and sends H to 
Alice; (2) Alice modulates the value b of the committed 
bit on the anonymous state \tp) and sends the output 
back to Bob. The bit modulation is a quantum oper- 
ation (QO) parametrized by b = 0,1. It is clear that 
this general scheme contains all possibilities, including 
the anonymous-state based protocols of Yuen j|, [|, || Q , 
and, as a special case, the original protocols by Mayers 
H, and Lo and Chau(|, ||, which correspond to openly 
known state \tp). 



A. Bit modulation 

To make the protocol concealing and at the same time 
verifiable, the modulation must be a choice between two 
ensembles of QO's {Mf ] } for b = 0,1, from T(H) to 
T(K), where T(H) denotes the set of traceclass opera- 
tors on H , and generally the two Hilbert spaces K and H 
are not isomorphic. We will name the cases K D H and 
K C H extending modulation and restricting modulation, 
respectively, the extending case including the possibility 



The maps Mj ' are generally trace-decreasing, i. e. 
they may be achieved with nonunit probability. In terms 
of the Kraus decomposition for any input state p 

M ? ) (p) = E<^ )t ' (3) 

i 

this means that generally 

J2E^E$><L (4) 

i 

Strictly trace-decreasing maps correspond to aborting 
protocols, namely when Alice doesn't succeed in achiev- 
ing the map the protocol is aborted. By completing the 
sum in Eq. (Q) with additional terms in order to get the 
identity, we see that a trace decreasing map is equiva- 
lent to a trace preserving one, with additional outcomes 
i corresponding to the protocol aborted. 



D. Reduction to unitary 

Alice has unlimited technology, whence she can always 
achieve knowingly, i. e. she has the option of achiev- 
ing each trace-preserving map as a perfect pure mea- 
surement. This can be done as follows (in the following 
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we will temporarily drop the indices b and j). The trace- 
preserving QO can be written in the form 

M(p) = Tr F [EpE% 

E = J2 E i® K)f e B(H,K® F) isometry, ( 5 ) 

i 

for a suitable ancillary space F (notice the tensor nota- 
tion E ® \ip)p that for operator in B(H, K) represents 
an "extension" operator from H to K ® F. By unitary 
embedding H into K <g> F ~ H <g> A for another suitable 
ancillary space A as E = U(Iy\ ® |w) A ), with C7 unitary 
on H ® A ~ K <g> F, we have 



M( /9 ) = Tr F [C/( /9 ®|w)(o;|A)C/ t ], 



(6) 



namely Alice prepares the ancilla (and decoy systems) in 
the state \u), and then performs a complete von Neu- 
mann measurement on F, with outcome i, which she 
keeps secret [the possibility of using a more general type 
of measurement is already considered in an extended 
space F]. The strictly trace-decreasing case would cor- 
respond to write 

M(p) = Tr F [(/K®S F )C/(p®|w)(a;|A)C/ t ], (7) 

with X F orthogonal projector on a subspacc of F. In 
conclusion, Alice can achieve the QO M(p) = £\ E iP Ej 
knowingly by: (1) preparing an ancilla/decoy state |w) A G 
A; (2) performing a unitary transformation [/ on H ® A; 
(3) performing a complete von Neumann measurement 
on F, with K ® F ~ H <g> A and outcome i; (4) sending 
K to Bob. Notice that we can have both extending and 
restricting protocols, depending on the choice of A and 
F. At this point, the encoding maps are given by 

MW(|^|) = 

5>f Tr F [(/ K ^)uj b \\ V )( V \ \u>)(u>\i)uj b % (8) 



with \u>) independent on j and 6, since any dependence 
can be included in Uj b \ Notice that if all orthogonal 
projectors S^ 6 ' on subspaces of F have the same rank, 
their dependence on j and b can also be included in t/j 6 ' , 

but generally rank(S^) depends on both j and b. For 
the moment, we will focus attention on the case in which 
rank(E^) is independent on j. Now, by considering the 

unitary operator U (b) = £\ C/j h) <g> \j)(j\ over H<g>A®P ~ 
K ® F ® P, we see that Alice can achieve any possible 
commitment step as follows 



M (b) (MM) = 

Tr F8P [(/ K ® E< 6) )tf (6) (l¥>><¥>l ® |w)Ha ® p P )t/ (b)t ], 



(9) 



where also pp is independent on 6, whence, since also the 
probabilities p^p will be independent on b, we will denote 
them simply as pj . 



E. Opening step 

In a protocol which is completely and perfectly ver- 
ifiable Alice tells b along with the secret parameter j 
and the secret outcome i to Bob, who verifies the state 
EjV\ip). (In a protocol that is not perfectly verifiable, the 
disclosed state is generally mixed, e. g. Alice keeps the 
outcome i secret, or join outcomes in composite events as 
in a degenerate Ludcrs measurement). However, we em- 
phasize that, whatever is the rule for the opening, Alice 
has always the option of achieving the encoding QO by 
performing a complete von Neuman measurement. Since 
the local QO's on K and F ® P commute, Alice has the 
possibility of: (1) first sending K to Bob; (2) then per- 
forming the measurement on F <E> P at the very last mo- 
ment of the opening. As we will see, this is the basis for 
Alice EPR cheating attacks. Notice that strictly trace- 
decreasing QO's — i. e. aborting protocols — pose limita- 
tions to Alice's EPR cheating. In fact, Alice cannot de- 
lay the abortion of the protocol at the opening, and must 
declare it at the commitment. Since both secret parame- 
ters j and i can be conveniently measured by Alice, they 
can be treated on equal footings as a single parameter 
J = The two maps are then 



M< 6 >(|p>M)=5>Mf (MM) 
j 



(10) 



with Ef 



VPj4 b) GB(H,K). 



F. Reduction to a single commitment step 

A protocol with more than a commitment step gener- 
ally consists of a sequence of conditioned QO's, namely 
in which one party is requested to make a different QO, 
say {N( x )}, depending on the outcome x of a previous 
QO from the other party. However, the same result is 
achieved by automatizing the conditioned QO, and using 
instead the unconditioned one N = J2 X ® P^ on an 
extended Hilbert space H (g> N, without even knowing x. 
If the knowledge of x is requested only at the opening - 
as for nonaborting protocols — then the orthogonal mea- 
surement P x can be delayed up to the opening moment, 
since the notepad space N is kept by the party. Then, 
analogously as for a single commitment step, each QO 
can be achieved knowingly, by means of a pure measure- 
ment, with a suitable unitary embedding. Again, since 
the measurement-ancillary space (F in the above ana- 
lyzed single commitment step) is kept by the considered 
party, its measurement can be delayed up to the opening 
moment (for strictly trace decreasing maps the two par- 
ties can agree to declare the abortion at the end of the 
whole commitment). At this point, we have a sequence of 
interlaced unitary operators, one from each party alter- 
natively, e. g. for three steps U'^UbU^\ where clearly 
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the unitary transformation by Bob Ub cannot depend 
on b. Now, for a numerable set of possible unitary trans- 
formations Ub € {Ui}, Bob can use instead the unitary 
Us = ^2iUi <g> \l){l\ by preparing a state from an or- 
thogonal set {\l}} on an additional Hilbert space. There- 
fore, the choice of the unitary is equivalent to the state 
preparation of another anonymous-state Hilbert space. 
In conclusion, from the arguments above we see that the 
whole multi-step (non aborting) protocol is equivalent to 
a single-step one, with larger spaces H, K, A, F, and P. 
We don't know what is the minimal Hilbert space for 
anonymous-state preparation of a generally continuous 
set of unitary operators, for which one may need a non 
separable space. Notice that with a teleportation proto- 
col it is possible to achieve any contraction on a space 
H by performing a state preparation on the space H £g> H 
of the entangled resource, however, only with probability 
equal to dim(H)~ 2 . 

G. Classical protocols 

It is obvious that a classification of quantum proto- 
cols must include also the classical ones as a particular 
case. In fact, the classical protocols correspond to con- 
sider just orthogonal states, and QO's on abelian opera- 
tor algebras. Consider, for example, a one-way trapdoor 
function /aC?), where the integer j plays the role of the 
secret parameter. Let the value b if the committed bit be 
the parity of j. Then, Alice sends the state \n) ® |/a) to 
Bob, with n = /a (.?')■ Bob can verify that /a is indeed 
one-way. However, since he cannot compute j from the 
knowledge of n, he can just guess whether j is even or 
odd. At the opening Alice tells j to Bob, and Bob verifies 
that indeed n = /aO) and evaluates the parity of j. 

III. CHEATING 

For the moment we will focus attention on non- 
aborting protocols, postponing the discussion of the 
aborting (strictly decreasing) case. Alice can cheat at two 
different moments: before and after the commitment. We 
will name the two cases: pre-cheating and post-cheating, 
respectively. Bob, as we will see, can perform a combined 
attack before and after the commitment. The possibility 
also for Alice of performing a combined attack will be 
also discussed. 



A. Alice pre-cheating attacks 

These correspond to prepare the ancillary spaces A<g> P 
in a state not of the prescribed form |w)(a;|A <8> pp- This 
will generally lead to QO's different from the ones pre- 
scribed from the protocol. In the following, we will not 
further analyze pre-cheating, for the two following rea- 
sons: (1) it seems that there is no practical use for Alice 



to cheat before knowing if the committed bit needed to be 
changed; (2) either there is a chance that the pre-cheating 
will be detected at the opening, or it would lead to QO's 
indistinguishable from the prescribed ones, in which case 
it will give the same result of a post-cheating attack con- 
sidered in the following. Finally, notice that a cheating 
attack based on changing the prescribed unitaries U^ 
belongs to the same class of pre-cheating attacks, and 
the same considerations hold. 



B. Alice post-cheating attacks 

After the commitment and before the opening Alice 
can try to cheat by performing a unitary transforma- 
tion V on F ® P: this is the so-called EPR attack. The 
maneuver will not change the QO's M^, however, it 
will change the Kraus decompositions — which are rele- 
vant at the opening — giving a new set of contractions 
{Ef} -> {E { j\v)} with the same cardinality, in the 
following way 

E { »\V) = Y J E { * ) V JL , V JL = (J\V\L). (11) 

L 

Another attack available to Alice is also that of declaring 
a J different from the actual outcome: however, since 
Alice doesn't know the anonymous state \ip), she must 
adopt a fixed rule to scramble the J's, and being just a 
permutation, this cheating is again equivalent to a uni- 
tary cheating transformation V. 

The probability that Alice can cheat successfully in 
pretending having committed, say, b = 1, whereas she 
committed 6 = instead, is given by 

and it clearly depends on the anonymous state \ip) and on 
the cheating transformation V. However, Alice doesn't 
know | ip) , and the optimal choice of V obviously depends 
on \<p). So, which is the transformation V to be used? 
Without any knowledge of \<p), the best Alice can do 
is to adopt a conservative strategy, by choosing the V 
such that the minimum P(V, <p) for \if) chosen by Bob 
is maximum, namely she maximizes her probability of 
cheating in the worst case, corresponding to the minimax 
choice of V 

(P c ^=maxminP c A (^). (13) 

V f 

It is evident that in this way a game theoretical situa- 
tion arises, in which Bob choses \ip) and Alice choses V, 
with the probability P(V, if) playing the role of a payoff 
matrix. Obviously Alice and Bob can generally adopt 
randomized strategies, which can then be purified via 
entanglement with an ancillary system. However, in the 
general situation the game is further complicated by the 
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fact that Bob's choice for \ip) is also dictated by max- 
imization of his own probability of cheating (see later), 
and all other parameters — such as Alice secret parameter 
j — must enter the game. Since we are only interested to 
set the debate on the impossibility proof|l], 0, [| via a 
complete classification of all protocols and cheating at- 
tacks, this game situation, which arises as a consequence 
of using anonymous states, will be analyzed elsewhere. 

Another possibility for Alice's choice of V would be 
that of maximizing the probability P(V, ip) averaged over 
all anonymous states, with the unitarily invariant proba- 
bility measure d fJ-(<p) on the (compact) manifold of pure 
states, namely 



(Pc)o 



max 
v 



(14) 



However, such a (pure) strategy will not be optimal if 
Bob chooses a non uniform probability distribution, e. g. 
a delta-function, and the actual probability of cheating 
could be much lower than the one in Eq. (|l4|). It is 
obvious that for compact manifold of states — i. e. for 
finite dimensions — then the two probabilities in Eqs. ( |l3| ) 
and (|lj) will be related by a constant depending on the 
dimension of H. 

The evaluation of the average in Eq. ([u]) is made 
difficult by the presence of the norm in the denominator. 
When the encoding for b = 1 is random unitary, i. e. 



E 



(i) 



with unitary Uj, the evaluation of the 



average in Eq. (|14|) is simplified by the following identity 
which holds for any couple of operators A, B £ B(H) for 
d = dim(H) < oo 



dti(<p)(<p\A\<p)(Lp\B\<p) 
1 



(15) 



[Tr(A) Tr(B) + Tr(AB)]. 



Using Eq. 
rewrites 

(P c )av 



d(d+l) 

15| ) the averaged probability in Eq. 
1 



d(d+l) v 



E 

L 



Tr [U^E 



Vlj 



(16) 



which can be bounded as follows 

' <(P c A )av< ' ' 



1 



d+1 d(d+l) 



IIZIIi > 



Zfj L )K= r Tr[U i K )i E^]Tr[U K 



(i) 



4°)t] 



(17) 



where || - j| ^ denotes the trace- norm, and the matrix 
%(jl)k has to be considered as rectangular, with (JL) 
as a single index. From Eq. ( p~7| ) we see that in order to 
reduce Alice's cheating probability we better increase the 
dimension of the anonymous-state Hilbert space. The up- 
per bound in Eq. (|l7]) could be useful for proving uncon- 
ditional security of the protocol: however, we don't know 



if the trace norm in Eq. fll7j ) is bounded as fZ^ < d , 
otherwise the bound ( \\J\) would be useless (one can check 
that JZJj = d 2 in the perfectly concealing case). 



C. Bob cheating 



Bob can try to cheat by making the best discrimina- 
tion between the two maps 

M(b) = T,jPj M f } - However, 
since he doesn't know the probabilities pj actually used 
by Alice, his strategy will be suboptimal, and his actual 
cheating probability Pf will be lower than the probabil- 
ity (Pc)opt corresponding to the optimal strategy with 
the right probabilities pj. Since map-discrimination is 
generally more reliable with the map acting locally on 
an entangled state [12], instead of preparing 6 H Bob 
prepares an entangled state on H (£> R and sends only 
H to Alice. (Here, we can see clearly that the use of 
anonymous states in the protocol, while limiting Alice 
EPR cheating attacks, at the same time allows Bob to 
perform EPR attacks himself). Therefore, Bob's optimal 
probability of cheating is bounded as follows (for equally 
probable bit values b = 0, 1) 



Pc < (Pi 
i 

max — 

|^)GH®R 4 
1 1 



1 



Jopt 



- + 



M«®Ir(|vj><¥»|)-MW®Ir(|^)(v>|) 



(18) 



cb 

where^ |-| cb denotes the completely bounded (CB) 

normp3|, and we used the fact that the difference of two 
CP maps is Hermitian-preserving, whence its CB-norm is 
achieved on a normalized vector in H <g) R. Notice that for 
trace-preserving QO's the difference — M^ ) is never 
completely positive, and generally an entangled anony- 
mous state improves the discrimination, whereas for 
aborting protocols the QO's are strictly trace-decreasing, 
and the difference map can be completely positive itself, 
in which case the EPR attack is of no use (for such anal- 
ysis on discriminations between QO's, see Ref. fll^l). 



Symbol 


Hilbert space 


H 


Anonymous state 


K 


Output 


A 


Preparation ancilla/decoy 


P 


Secret parameter 


F 


Measurement ancilla 


R 


Bob cheating space 


Rng(E) 


Range of E (abortion) 



TABLE I: List of Hilbert spaces needed for protocol and 
cheating attacks classification. 
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start 


commitment 


after commitment 


Alice 


A, P 


H,A,P 


F,P 


Bob 


H,R 


R 


K, R 



TABLE II: Who owns which space and when. 



D. Discussion on the aborting (strictly 
trace-decreasing) protocols 

In the simplest case in which the projector £ is inde- 
pendent on both b and j, Alice can launch an EPR attack 
easily, performing it on the range space of E. However, 
when the rank of £ depends on b, an EPR attack has 
a probability of being detected by Bob at the opening 
when the attack leads to a larger Kraus cardinality than 
the prescribed one. Notice also that, in general, a de- 
pendence of rank(E) on b and/or j will enhance Bob's 
probability of cheating. 

Up to now we have seen that in order to classify all 
possible protocols and cheating attacks we need to con- 
sider seven Hilbert spaces with different physical mean- 
ings: these are summarized in Tables Q and [H]. 



E. Perfectly concealing protocols 

A perfectly concealing protocol means that the CB- 
norm in Eq. ( |l8| ) is zero, namely the two maps are the 
same. Therefore, the two Kraus are connected via a uni- 
tary transformation V on F®P, and Alice can cheat with 
probability one, namely the protocol is not binding. 



F. Approximate concealing protocols 

We consider now the case in which Bob's probability of 
cheating for the optimal strategy is infinitesimally close 
to the pure guessing probability | , which means that also 
the CB-norm distance between the maps is infinitesimal, 
i. e. — Mw||c6 = e. We emphasize that generally e 

is vanishing for increasing dimension of K (see, for exam- 
ple, some protocols given by YuenQ, where the approx- 
imately concealing condition is achieved for increasingly 
large number of decoy systems) , and no obvious continu- 
ity argument can be invoked to assert that Alice cheating 
probability will approach unit for vanishing e. More pre- 
cisely, in the present context based on anonymous states, 
such an argument (which is at the basis of the impossi- 
bility proof of Refs.0, ||, ||) would imply that for both 
the minimax and the averaged strategies in Eqs. fll3| ) 
and ( |l4|) Alice probability of cheating would be infinites- 
imally close to unit for e — > 0, namely 



1-(^)a 



MW - M<°> 



cb 



(19) 



for some function w(e) independent on the dimension of K 
and vanishing with e. However, using anonymous states 
such assertion may turn out to be false. In fact, it is ob- 
vious that if there is an alternate Kraus decomposition 
{E { j\v)} for the map M<°) such that the two Kraus 

{Ef\v)} and {E^} are close, then the protocol is ap- 
proximately concealing and not binding, since (see Ap- 
pendix) 



(P B ) ---- 
K+c )opt 2 ~ 4 



mW-m(°> 



cb 



< 



1 



4 1} 



p?(y t ip)> 



Y,\e?\v)-e 



1 

1 - - 

2 



.7 



(20) 



,(21) 



where ||-|| denotes the usual spectral norm, and for any 
operator A we use the customary abbreviation \A\ 2 = 
A^A. However, the impossibility proof would be true if a 
bound of the form (|2^) would be satisfied in the reverse 
direction, in which case one would have 



( J P C A ), 



< min 

v 



< 



Y,\e?\v)-e 

J 

w(||m«-m<°> 



(22) 



which would correspond to the following continuity argu- 
ment: if two CP maps are close in CB-norm, then for a 
given fixed Kraus decomposition for one of the two maps, 
there is always an alternate Kraus decomposition for the 
other map such that the two are close. Since one also 
has that \\A\\ < ||^4||2,where ||-|| 2 now denotes the Frobe- 
nius (Hilbert-Schmidt) norm, the bounding (2^) could 
also be written with the Frobenius norm in the middle 
term (see Eqs. ( |20| ) and (pl|)), in which case the minimum 
over V would be in the form of a Procrustes problem juj . 

Since as regards the cheating probabilities we have 
considered only the case of non-aborting protocols with 
perfect-verification, proving the continuity argument ( [22] ) 
or directly the bound (|l^) would means that a secure pro- 
tocol can still be searched outside such class of protocols. 
On the other hand, finding a counterexample to Eq. ( p^| ) 
would provide a perfectly verifiable and unconditionally 
secure protocol. 

Finally, a few words on the possibility of a combined 
pre/post-cheating Alice attack. It is clear that if it leads 
to a set of QO's different from the prescribed ones, then 
it can be detected by Bob at the opening (if it gives the 
prescribed set of maps, then the same effect can be better 
achieved by post-cheating). However, in principle, it may 
help in increasing the overall Alice's cheating probability, 
particularly when there is possibility of abortion, i. e. for 
strictly trace-decreasing protocols. 
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IV. DISCUSSION 

The discrepancy between the previous analysis and the 
analysis beneath the impossibility proof |[ || is es- 
sentially due to the fact that the latter is based on the 
assumption that the starting state of the commitment 
protocol is openly known, in the sense that the prob- 
ability distribution of the state is given, and then the 
corresponding mixed state can be purified. The general 
underlying idea is that the protocol should be processed 
by machines, and therefore all probability distributions 
are defined, and purified inside the machines. However, 
such an assumption is certainly not realistic for a crypto- 
graphic protocol, where each party has actually the free- 
dom of changing or tuning the machine, namely chosing 
any desired probability distribution. Or else, one would 
need to purify the human being himself. Now, if a pa- 
rameter is secret for a party, nobody forbids him/her to 
believe that the other party is still using the same pre- 
pared machine, and accordingly to adopt a Bayesian ap- 
proach with the known a priori probability distribution. 
However, in practice, the other party could have used an- 
other machine and/or with a different preparation. One 
can continue to argue on this line, asserting that changing 
the machine is equivalent to use a larger machine, or, in 
other words, that an unknown probability distribution 
can be regarded as an a priori uniform distribution on 
the space of probability distributions. This line of rea- 
soning, however, constitutes a very dangerous argument 
in a proof, since it is equivalent to consider infinite ma- 
chines or, equivalently, uniform probabilities on infinite 
sets, which then must vanish everywhere. In addition, 
for infinite probability spaces one needs infinite dimen- 
sional purifications, (even worst, for continuous spaces 
one may need non separable Hilbert spaces) . This would 
invalidate an impossibility proof based on a non proved 
continuity argument which a fortiori must apply to infi- 
nite dimensions. Finally, one could now argue that in the 
real world the machines must be bounded: however, this 
assertion would contradict not only the previous assump- 
tion of uniform probabilities (otherwise, which non uni- 
form probabilities are to be adopted?), but also the fact 
that the proof is purported for unconditionally security, 
with both Alice and Bob supposed to possess unlimited 
technology. 

The above hill-posed mathematical framework arises 
from the Bayesian approach to secret parameters, dic- 
tated from the closed system modeling with fixed ma- 
chines and purification of probabilities. This model, 
along with the assumed unbounded technology for both 
parties, necessarily lead to infinities which don't allow 
unproven continuity arguments, thus falsifying the proof. 
Alternative to the previous approach, we have the real- 
istic finite open system approach, in which unknown pa- 
rameters arc treated as such, without the need of any 
a priori probability distribution, in which we can ad- 
dress the problem for finite dimension with the param- 
eter s depending on it. As well known, the need of 



treating unknown parameters without a priori probabil- 
ity distribution is the reason why in detection and es- 
timation theory |D| |l6| we have both the minimax and 
the Bayesian approaches. Then, if one proceeds by treat- 
ing unknown parameters as such, no openly known state 
can be assumed, and the anonymous state encoding of 
Yuen|^|, ^| leads to the present classification of proto- 
cols. Notice that if the initial state \<p) is openly known, 
then for that given fixed states all QO's can be regarded 
as random unitary transformations (since all states are 
connected by unitary transformations), and this lead to 
the simple form of Alice cheating probability in terms 
of fidelities |^, ||, whereas in the present context the 
probability of cheating has the more involved form (p^), 
due to the fact that the state \(p) is unknown, and that 
there are QO's that don't admit random unitary Kraus 
decompositions. 

Finally, a few words on the possibility of aborting 
protocols. This possibility was not considered in Refs. 
[jl], ||, ||, since also this in practice arises as a conse- 
quence of not assuming openly known probabilities. In 
fact, in a closed model of interacting machines with puri- 
fied parameters, every transformation would be unitary. 
However, one could reasonably argue that if the protocol 
aborts, then another protocol must be started, and the 
procedure will be repeated as long as the bit is not suc- 
cessfully committed, and that such a succession of pro- 
tocols is itself a non aborting protocol. Such kind of 
protocols that could be chained ad infinitum can be re- 
garded as infinite convex combinations of protocols on 
infinite dimensional anonymous spaces H, (the QO will 
be trace-preserving only for infinite dimensions). Again 
one can see that a closed system approach necessarily 
lead to infinite dimensions. 



APPENDIX A: DERIVATION OF THE BOUNDS 
(§o|) AND @ FOR CHEATING PROBABILITIES 



Using Jensen inequality as suggested in Ref. pi, the 
Alice's cheating probability can be bounded from below 
as follows [here we use the abbreviate notation Fj = 

Ef{V)] 
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where we used \A\ 2 = A^A, and the fact that for P > 
one has ||P|| = sup^i^ (<p\P\(p). On the other hand, we 
have that 
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